This repository has been archived by the owner on May 2, 2024. It is now read-only.

Issue: podman with "--userns=keep-id" fails. #399

Open
2 tasks done
johne8 opened this issue Nov 14, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@johne8
Contributor

johne8 commented Nov 14, 2023

Is there an existing issue for this?

  • I have searched the existing issues and found none that matched mine

Describe the issue

Seems like the ownership for the filesystem gets spoofed when using podman with "--userns=keep-id".

In the logfile I get
aad_auth[7954]: nss_aad: database error: invalid ownership for /var/lib/aad/cache/passwd.db, expected 0:0 but got 65534:65534
where "7954" equals the PID of podman (non-root)

I can fix this by doing the following changes to nss/src/cache/mod.rs (line 369):

            // skip ownership check if detected owned by nobody.
            if stat.uid() != 65534 {
                // Checks ownership
                if stat.uid() != file.expected_uid || stat.gid() != file.expected_gid {
                    return Err(CacheError::DatabaseError(format!(
                        "invalid ownership for {}, expected {}:{} but got {}:{}",
                        file.path.to_str().unwrap(),
                        file.expected_uid,
                        file.expected_gid,
                        stat.uid(),
                        stat.gid()
                    )));
                }
            }

Steps to reproduce it

  • make sure you have subuid and subgid added for the Entra ID user in /etc/subuid and /etc/subgid.
    example: user@tenant.onmicrosoft.com:165536:65536
  • log in with the Entra ID user.
  • run example:
    podman run --rm -it --userns=keep-id ubuntu:latest bash
    you will get error:
    Error: error creating temporary passwd file for container {CONTAINERID}: failed to get current user: user: unknown userid {USERID}

Ubuntu users: System information and logs

journalctl -f | grep "_aad"
aad_auth[7954]: nss_aad: database error: invalid ownership for /var/lib/aad/cache/passwd.db, expected 0:0 but got 65534:65534

Non Ubuntu users: System information and logs

I'm using Ubuntu.

Relevant information

No response

Double check your logs

  • I have redacted any sensitive information from the logs
@johne8 johne8 added the bug Something isn't working label Nov 14, 2023
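An added example, not the project's code and not the workaround posted above: a narrower form of the same check in Rust that tolerates the kernel overflow id 65534 only when /proc/self/uid_map shows the process is inside a non-initial user namespace (the situation a rootless podman --userns=keep-id run creates), instead of skipping the check for every file that appears owned by nobody. The names `is_identity_map`, `check_ownership` and the local `CacheError` are assumed for this example, and the uid_map strings in it are constructed.

```rust
// Added example (not the project's code). The kernel substitutes the overflow id
// (default 65534, "nobody") for any owner that has no mapping in the current user
// namespace, so a host-root-owned file looks like 65534:65534 from inside a
// rootless podman namespace. Inside such a namespace an unmapped owner and a real
// nobody-owned file are indistinguishable, so the relaxed check is only as strong
// as the namespace mapping; in the initial namespace the strict check still applies.
const OVERFLOW_ID: u32 = 65534;

#[derive(Debug, PartialEq)]
pub enum CacheError {
    DatabaseError(String),
}

/// Parse the text of /proc/self/uid_map. Returns true only for the identity map
/// "0 0 4294967295", i.e. when the process is in the initial user namespace.
pub fn is_identity_map(uid_map: &str) -> bool {
    let mut lines = uid_map.lines().filter(|l| !l.trim().is_empty());
    let first = match lines.next() {
        Some(l) => l,
        None => return false,
    };
    if lines.next().is_some() {
        return false; // more than one mapping line: a constructed namespace
    }
    let fields: Vec<u32> = first.split_whitespace().filter_map(|x| x.parse().ok()).collect();
    fields == vec![0, 0, 4294967295]
}

/// Ownership check for a cache file. `uid`/`gid` come from stat(), `uid_map` is the
/// content of /proc/self/uid_map read by the caller.
pub fn check_ownership(
    path: &str, uid: u32, gid: u32, expected_uid: u32, expected_gid: u32, uid_map: &str,
) -> Result<(), CacheError> {
    if uid == expected_uid && gid == expected_gid {
        return Ok(());
    }
    // Only inside a non-initial user namespace, and only for the exact overflow
    // id pair, accept the file: that is what an unmapped host owner looks like.
    if !is_identity_map(uid_map) && uid == OVERFLOW_ID && gid == OVERFLOW_ID {
        return Ok(());
    }
    Err(CacheError::DatabaseError(format!(
        "invalid ownership for {}, expected {}:{} but got {}:{}",
        path, expected_uid, expected_gid, uid, gid
    )))
}
```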
@johne8
Contributor Author

johne8 commented Nov 14, 2023

I added a pull request for the workaround.
